Reversing FreeRTOS on embedded devices
RECON-BRX-2017-FreeRTOS_Embedded_Reversing
The entry point
• STM32 has some default interrupts which are controlled by handlers.
• To locate each handler there is a table called the Interrupt Vector Table, which holds the address for each interrupt.
• One of these interrupts is the reset.
• What is boot other than a reset interrupt?!
31 RECON 2017 Brussels
Reverse engineering on Embedded
• String analysis does not help
• There are no syscalls on FreeRTOS
• There is no memory protection
• IDA by default will not detect the Entry point.
……… can we find the Entry point ?
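The Interrupt Vector Table lookup described under "The entry point", as an added example that is not taken from the slides: it reads the table from a raw flash image and resolves the reset handler, which is the entry point IDA does not detect by default. It assumes a Cortex-M0 (STM32F0) table layout and the usual STM32 flash base of 0x08000000; the sample image is constructed, not real firmware.

```python
import struct

# Assumptions (not from the slides): raw flash dump mapped at the usual STM32
# flash base, Cortex-M0 (ARMv6-M) vector table at file offset 0.
FLASH_BASE = 0x08000000
SRAM_BASE, SRAM_END = 0x20000000, 0x40000000  # Cortex-M SRAM region

# Architectural exception slots; word 0 is the initial stack pointer.
CORE_VECTORS = {1: "Reset", 2: "NMI", 3: "HardFault",
                11: "SVCall", 14: "PendSV", 15: "SysTick"}


def parse_vector_table(image, base=FLASH_BASE, n_words=16):
    """Return (initial_sp, {name: (address, file_offset)}) for a raw image."""
    if len(image) < 4 * n_words:
        raise ValueError("image too short to hold a vector table")
    words = struct.unpack_from("<%dI" % n_words, image, 0)
    initial_sp = words[0]
    if not SRAM_BASE < initial_sp <= SRAM_END:
        raise ValueError("word 0 is not a plausible stack pointer")
    handlers = {}
    for index, name in CORE_VECTORS.items():
        entry = words[index]
        if entry == 0:
            continue  # unused slot
        if not entry & 1:
            raise ValueError("%s vector lacks the Thumb bit" % name)
        address = entry & ~1  # bit 0 only marks Thumb state
        offset = address - base
        if not 0 <= offset < len(image):
            raise ValueError("%s handler lies outside the image" % name)
        handlers[name] = (address, offset)
    if "Reset" not in handlers:
        raise ValueError("no reset vector: not a bootable image")
    return initial_sp, handlers


def build_sample_image():
    """Constructed 256-byte image: a vector table plus erased-flash padding."""
    table = [0] * 16
    table[0] = 0x20002000   # initial SP (constructed value)
    table[1] = 0x080000C1   # Reset handler at offset 0xC0, Thumb bit set
    table[14] = 0x080000D1  # PendSV
    table[15] = 0x080000E1  # SysTick
    return struct.pack("<16I", *table).ljust(256, b"\xff")


if __name__ == "__main__":
    sp, handlers = parse_vector_table(build_sample_image())
    for name, (addr, off) in handlers.items():
        print("%-9s 0x%08X (file offset 0x%X)" % (name, addr, off))
```

On a FreeRTOS image for Cortex-M, the PendSV and SysTick entries are worth resolving next, since the port's context switch and tick run from those handlers.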